[Samba] (no subject)

Jonathon Reinhart jonathon.reinhart at gmail.com
Sun Mar 3 20:27:57 UTC 2019


Okay, so in conclusion of this thread:

- Using Realmd (even with winbind) on a Samba DC is a bad idea.
- I've updated my first blog post to specify realm in all-caps.
- I've updated my second blog post to include SSH + Kerberos.
- Using "idmap_ldb:use rfc2307 = yes" on all of my Samba DCs is okay.
- Only winbind template mode is currently supported on Samba DCs.

The additional UPN suffixes conversation continues in the other thread,
with subject "Joining a DC, was (no subject)".

Thanks for the input, everyone! When I write more blog posts, I'll post
them here for feedback.

Cheers,

Jonathon

On Sun, Mar 3, 2019 at 2:36 PM Rowland Penny via samba
<samba at lists.samba.org> wrote:
>
> On Sun, 3 Mar 2019 13:41:05 -0500
> Jonathon Reinhart <jonathon.reinhart at gmail.com> wrote:
>
> > On Sun, Mar 3, 2019 at 5:14 AM Rowland Penny via samba
> > <samba at lists.samba.org> wrote:
> > [snip]
> > > > Correct me if I'm wrong, but winbind (on a Samba DC) can **only**
> > > > use "template homedir" and "template shell", and will not respect
> > > > the RFC 2307 attributes in LDAP. Is that correct?
> > >
> > > Yes and no ;-)
> > >
> > > If you use the 'rid' backend, you must use the template lines. If
> > > you use the 'ad' backend, then the RFC2307 attributes in AD will be
> > > used.
> >
> > I'm asking about Winbindd on the DC itself, where, as I understand it,
> > there is no choice of idmap backend. The Samba Wiki [1] says:
>
> I must go to Specsavers :-(
>
> Yes, totally correct, you have to use the 'template' lines.
>
> >
> > > ... setting up an ID mapping back end, such as ad (RFC2307) or rid,
> > > in the smb.conf file is not supported an [sic] can cause the samba
> > > service to fail.
> > > On a Samba Active Directory DC, Winbindd always reads the user IDs
> > > (UID) and group IDs (GID) from the values set in the uidNumber and
> > > gidNumber attributes set in the AD objects.
> >
> > That page goes on to say:
> >
> > > On a Samba DC, only the winbind template mode is supported.
> >
> > This doesn't seem to agree with what you've said; it strongly implies
> > that Winbindd, on a Samba DC, will never use the homeDirectory and
> > loginShell attributes.
>
> No it doesn't and the worst part is that I wrote a large part of
> that ;-)
>
> > This mailing list post from 2015 [2] seems to
> > agree.
> >
> > While we're on the topic, I've noticed that passing --use-rfc2307 to
> > `samba-tool domain provision` causes smb.conf to include this option:
> >
> >     idmap_ldb:use rfc2307 = yes
> >
> > That option is not documented in smb.conf [3].
>
> No, it isn't, but it is required to use the RFC2307 attributes and the
> other strange thing is, it isn't added by default to any other DCs you
> might add.
>
> >
> > Furthermore, this Samba Wiki page [4] says about that option:
> >
> > > It is recommended not to use those mappings on the DCs. The default
> > > idmap ldb mechanism is fine for domain controllers and less error
> > > prone.
> >
> > Which seems completely incorrect, given that the option was added
> > during AD provisioning.
>
> Well not doing something is always going to be less error prone ;-)
> What it is saying is:
> If you only use the DC for authentication, then the default idmap.ldb
> is sufficient. The problems can start if you have any other Unix
> machines and require the same numeric Unix IDs everywhere.
>
> >
> > I appreciate your help in clearing up some of this contradictory
> > information!
> >
>
> I appreciate your feedback, it helps to make the wiki better.
>
> Rowland
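
An added example, not part of the thread or of Samba: a Python audit of DC smb.conf files for the two points above, an `idmap config ... backend` line on a DC (which the quoted wiki text calls unsupported) and `idmap_ldb:use rfc2307` being set on one DC but missing on another. Host names, realm and file contents are constructed, and a DC is identified by `server role = active directory domain controller`.

```python
import re

# Constructed smb.conf excerpts; host names, realm and domain are hypothetical.
SAMPLE_CONFS = {
    "dc1": """
[global]
    server role = active directory domain controller
    realm = SAMDOM.EXAMPLE.COM
    idmap_ldb:use rfc2307 = yes
    template shell = /bin/bash
""",
    "dc2": """
[global]
    server role = active directory domain controller
    realm = SAMDOM.EXAMPLE.COM
    idmap config SAMDOM : backend = ad
""",
}

def parse_global(text):
    """Return the [global] parameters, keys lowercased with whitespace collapsed."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit_dcs(confs):
    """Return sorted (host, finding) pairs for the DC idmap rules from the thread."""
    parsed = {h: parse_global(t) for h, t in confs.items()}
    dcs = {h: p for h, p in parsed.items()
           if p.get("server role", "").lower() == "active directory domain controller"}
    uses_rfc2307 = {h for h, p in dcs.items()
                    if p.get("idmap_ldb:use rfc2307", "no").lower() in ("yes", "true", "1")}
    findings = []
    for host, p in dcs.items():
        for key in p:
            if re.fullmatch(r"idmap config .*: ?backend", key):
                findings.append((host, f"unsupported on a DC: {key} = {p[key]}"))
        if uses_rfc2307 and host not in uses_rfc2307:
            findings.append((host, "idmap_ldb:use rfc2307 missing (set on: "
                                   + ", ".join(sorted(uses_rfc2307)) + ")"))
    return sorted(findings)
```

Calling `audit_dcs(SAMPLE_CONFS)` reports both problems on the constructed `dc2`; feed it the real file contents keyed by host name to compare your own DCs.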
